What to learn from the $10 million Subway POS hack

21.09.2012
Two Romanian hackers will serve time for targeting Subway in a $10 million point-of-sale conspiracy involving 150 restaurants in 2011.

guilty Monday to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, while Cezar Butu pleaded guilty to one count of conspiracy to commit access device fraud. Dolan was sentenced to seven years in prison while Butu received 21 months. The third alleged hacker is awaiting trial in New Hampshire, while a fourth remains at large.

It's not just the hackers who are to blame, however; Subway's sloppy business practices left the chain vulnerable.

The hacking scheme exploited remote desktop software installed on the computers connected to the point-of-sale (POS) devices. Remote access software allows a third-party to access a PC or other device, usually for the purpose of updating, repairing, or otherwise monitoring said device.

In this particular hack, Dolan identified using the Internet. Next, Dolan hacked into these systems using the pre-installed remote desktop software, and installed key-logging software on them. The key-logging software allowed Dolan to record all of the transactions that went through the compromised systems, including customers' credit card data.